From-sip-external logs - what

A couple of weeks ago we had a couple of extensions compromised and since then I have made it my mission to secure our box as far as I can. fail2ban, ipset, voipbl and very strong passwords, and monitoring our CDR and “SIP registration” logs for strange IPs, has become part of my daily routine.

I have however noted a number of logs which appear to come from a “sip scanner”, referring to Destination “s[from-sip-external]”. Logically I assume this is another SIP server dialing our SIP server, but I am curious:

  1. What is the attacker trying to achieve? Are they scanning for extensions or possible open routes?
  2. What can I do (if anything) to avoid / stop this? We make use of 2 outbound providers to dial through, and our phones unfortunately do not register from a static IP, so I cannot fully “lock” the server down to a select set of IPs.
  3. My understanding is that someone can make outbound calls by dialing and having an extension answered (I guess voicemail as well), then pressing # twice followed by a number, and then they can make external calls through an extension. Is this something we can block?

I have already disabled voicemail on all of our extensions just in case :)

For biggest immediate result, don’t ‘listen’ on UDP/5060

Next, only accept SIP packets to your domain name; drop anything to your IP.

Use TLS if you can; if you can't, use TCP.


Calls arriving in context from-sip-external are either due to misconfigured trunks or unwanted nuisance calls from malicious users. You can eliminate them by disabling allow guests and allow anonymous in Asterisk SIP Settings.

Do you know the source of the compromise? Unless the SIP secrets were easy to guess, the most common source for this exploit is not securing the provisioning services.
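The OP's daily CDR review and the reply above (from-sip-external hits are either a misconfigured trunk or an unwanted caller) can be turned into a small triage script. This is an added example for this thread, not code from FreePBX, Asterisk or any poster. It assumes the default cdr-csv `Master.csv` column order with no header row, assumes guest calls arrive on a channel named `SIP/<source-ip>-<seq>`, and uses hypothetical trunk-provider addresses; the sample rows are constructed, using documentation-range IPs.

```python
"""Summarise Asterisk CDR rows that landed in the from-sip-external context.

Added example for this thread, not FreePBX/Asterisk code. Assumptions:
the default cdr-csv Master.csv column order (no header row), and guest
calls arriving on a channel named SIP/<source-ip>-<seq>.
"""
import csv
import io
import re

# Column order of Asterisk's default cdr-csv Master.csv (assumed here).
CDR_FIELDS = [
    "accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
    "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
    "disposition", "amaflags", "uniqueid",
]

# Hypothetical addresses of the two outbound providers from the thread.
# A call from one of these landing in from-sip-external points at a trunk
# misconfiguration rather than at a scanner.
KNOWN_TRUNK_IPS = {"192.0.2.10", "192.0.2.20"}

# Guest channels carry the remote IP in their name, e.g. SIP/203.0.113.5-00000001.
CHANNEL_IP_RE = re.compile(r"^(?:SIP|PJSIP)/(\d{1,3}(?:\.\d{1,3}){3})-")

# Constructed sample CDR rows (documentation-range IPs, not real traffic).
SAMPLE_CDR = """\
,1000,s,from-sip-external,1000 <1000>,SIP/203.0.113.5-00000001,,Hangup,,2024-01-10 02:14:07,,2024-01-10 02:14:07,0,0,FAILED,3,1704852847.1
,1000,s,from-sip-external,1000 <1000>,SIP/203.0.113.5-00000002,,Hangup,,2024-01-10 02:14:09,,2024-01-10 02:14:09,0,0,FAILED,3,1704852849.2
,100,900441234567890,from-sip-external,100 <100>,SIP/203.0.113.5-00000003,,Hangup,,2024-01-10 02:14:12,,2024-01-10 02:14:12,0,0,FAILED,3,1704852852.3
,15551230000,s,from-sip-external,15551230000 <15551230000>,SIP/192.0.2.10-00000004,,Hangup,,2024-01-10 09:30:00,,2024-01-10 09:30:01,1,0,FAILED,3,1704878400.4
,2001,2002,from-internal,2001 <2001>,SIP/2001-00000005,SIP/2002-00000006,Dial,SIP/2002,2024-01-10 10:00:00,2024-01-10 10:00:03,2024-01-10 10:01:00,60,57,ANSWERED,3,1704880800.5
,1000,s,from-sip-external,1000 <1000>,PJSIP/anonymous-00000007,,Hangup,,2024-01-10 11:45:30,,2024-01-10 11:45:30,0,0,FAILED,3,1704887130.7
"""


def parse_cdr(text):
    """Turn raw Master.csv text into a list of dicts keyed by CDR_FIELDS."""
    reader = csv.reader(io.StringIO(text))
    return [dict(zip(CDR_FIELDS, row)) for row in reader if row]


def source_ip(channel):
    """Return the remote IP embedded in a guest channel name, or None."""
    m = CHANNEL_IP_RE.match(channel)
    return m.group(1) if m else None


def classify_guest_calls(rows, trunk_ips=KNOWN_TRUNK_IPS):
    """Group from-sip-external calls by source and label each source.

    kind is "trunk" (known provider, so check the trunk definition),
    "unknown" (nobody we expect; a scanner or nuisance caller) or
    "unresolved" (channel name carries no IP; look the call up in the full log).
    """
    summary = {}
    for row in rows:
        if row["dcontext"] != "from-sip-external":
            continue  # only the context the thread is about
        ip = source_ip(row["channel"])
        if ip is None:
            key, kind = "(no IP in channel name)", "unresolved"
        elif ip in trunk_ips:
            key, kind = ip, "trunk"
        else:
            key, kind = ip, "unknown"
        entry = summary.setdefault(
            key, {"kind": kind, "count": 0, "dialed": set(),
                  "first": row["start"], "last": row["start"]})
        entry["count"] += 1
        entry["dialed"].add(row["dst"])
        entry["first"] = min(entry["first"], row["start"])
        entry["last"] = max(entry["last"], row["start"])
    return summary


def report(summary):
    """Render one line per source, busiest first."""
    lines = []
    for key, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        lines.append(f"{key:<26} {e['kind']:<10} calls={e['count']:<3} "
                     f"dialed={','.join(sorted(e['dialed']))} "
                     f"first={e['first']} last={e['last']}")
    return lines


if __name__ == "__main__":
    for line in report(classify_guest_calls(parse_cdr(SAMPLE_CDR))):
        print(line)
```

Run it against a copy of `Master.csv` instead of `SAMPLE_CDR` to get a per-source view of what is reaching from-sip-external: a burst of short failed calls to `s` or to long international numbers from one address is the scanner pattern the OP describes, while a provider address in the list means a trunk is not matching its own definition. Once "Allow SIP Guests" is off, the report should shrink to nothing, which makes it a cheap daily check that the setting has not been reverted.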

Hi Dicko, thank you, I have scheduled this for maintenance (will need to do this over a weekend as it will require some trial and error).

I have now disabled “Allow SIP Guests” as Anonymous was already disabled.

We suspect it was a weak password, but the guy was able to re-register on another extension a couple of days later (which had a very strong password). We even considered a security breach at Zoiper as both extensions used Zoiper. I have been monitoring SIP registrations daily since then, and after implementing fail2ban, ipset and voipbl (and doing it properly) the issue has since disappeared.
